
SAP Security Notes June 2013

Welcome to our first SAP Security Advisory post. Depending on feedback, we will outline all SAP Security Notes issued by SAP in each following month and make them available to you. As you know, each SAP Security Note describing a vulnerability is generally rated with a Common Vulnerability Scoring System (CVSS v2.0) score; SAP has adopted CVSS version 2.0.

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS consists of 3 groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10, and a Vector, a compressed textual representation that reflects the values used to derive the score. The Base group represents the intrinsic qualities of a vulnerability. The Temporal group reflects the characteristics of a vulnerability that change over time. The Environmental group represents the characteristics of a vulnerability that are unique to any user’s environment. CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers to all benefit by adopting this common language of scoring IT vulnerabilities.
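As an added illustration (not part of the original post and not SAP's own tooling), the following Python computes a CVSS v2 base and temporal score from the compressed vector string the paragraph describes, using the published v2 equations and weights. The vectors used in the code are constructed examples, not the vectors of any SAP note listed here.

```python
"""CVSS v2 base/temporal calculator (added example; weights from the CVSS v2 spec)."""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal
# Base metric weights: Access Vector, Access Complexity, Authentication, C/I/A impact.
BASE = {
    "AV": {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")},
    "AC": {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")},
    "Au": {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")},
    "C": {"N": D("0.0"), "P": D("0.275"), "C": D("0.660")},
    "I": {"N": D("0.0"), "P": D("0.275"), "C": D("0.660")},
    "A": {"N": D("0.0"), "P": D("0.275"), "C": D("0.660")},
}
# Temporal metric weights; "ND" (not defined) leaves the score unchanged.
TEMPORAL = {
    "E": {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")},
    "RL": {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")},
    "RC": {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")},
}

def parse_vector(vector):
    """Split "AV:N/AC:L/..." into a dict; unknown metrics/values or missing base metrics raise."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        table = BASE.get(name) or TEMPORAL.get(name)
        if table is None or value not in table:
            raise ValueError("bad CVSS v2 metric: %r" % part)
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError("base metrics missing: %s" % ", ".join(missing))
    return metrics

def _round1(x):
    # CVSS v2 rounds to one decimal, half up (Python's round() would use half-even).
    return float(x.quantize(D("0.1"), rounding=ROUND_HALF_UP))

def base_score(vector):
    m = parse_vector(vector)
    c, i, a = (BASE[k][m[k]] for k in ("C", "I", "A"))
    impact = D("10.41") * (1 - (1 - c) * (1 - i) * (1 - a))
    if impact == 0:  # f(Impact) = 0 when there is no impact at all
        return 0.0
    exploitability = D("20") * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["Au"][m["Au"]]
    return _round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * D("1.176"))

def temporal_score(vector):
    """Rounded base score scaled by E, RL and RC; equals the base score when they are absent."""
    m = parse_vector(vector)
    score = D(str(base_score(vector)))
    for k in TEMPORAL:
        score *= TEMPORAL[k][m.get(k, "ND")]
    return _round1(score)
```

A full remote compromise vector (AV:N/AC:L/Au:N/C:C/I:C/A:C) yields 10.0, the top of the scale shown in the table below, while the same impact reachable only locally (AV:L) drops to 7.2.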

We will issue tips & tricks and details of further vulnerabilities in future newsletters, as well as what your organization can do to be prepared for and informed about potential risks to your SAP infrastructure. In June 2013, SAP released 33 security-related OSS notes. The statistics and the full list follow:

- 8 notes are not rated with a CVSS score
- 11 notes are rated with a CVSS score between 3.5 and 5.0
- 15 notes are rated with a CVSS score of 6 and above

Number   Short text                                                    Released on  CVSS
1820777  Update 1 to SAP security note 1755108                         24.06.2013   7.00
1838814  Unauthorized modification of stored content in cFolders       10.06.2013   -
1842218  Missing authorization check in PS                             10.06.2013   6.00
1842406  Missing authorization check in package SICM                   10.06.2013   3.50
1843082  Missing authorization check in RSDUMPSOURCE                   10.06.2013   4.00
1844202  SUIM| RSUSR002 User '…………' is not found                       10.06.2013   4.60
1846952  Missing authorization check in BPC Web Services               10.06.2013   6.00
1847645  Missing authorization check in BC-BMT-WFM                     10.06.2013   3.60
1848319  Missing authorization check in BC-ABA-TV                      10.06.2013   6.00
1848996  Missing authorization check in BC-ILM-LCM                     10.06.2013   6.00
1849559  Code injection vulnerability in BW-WHM-DST                    10.06.2013   6.00
1849744  Missing authorization check in SAP_BASIS                      10.06.2013   -
1851914  Potential remote code execution in EAServer                   10.06.2013   10.00
1852064  Directory traversal in EAServer                               10.06.2013   7.50
1853161  Privilege Escalation in ABAP Source Code Editor               10.06.2013   3.60
1853852  Missing authorization check in IS-B-BCA                       10.06.2013   4.90
1858107  Potential disclosure of persisted data in EAServer            10.06.2013   7.80
1630309  Unauthorized modification in BSP application in CRM-IC-FRW    10.06.2013   -
1753737  Unauthorized modification of displayed content in BOE         10.06.2013   4.30
1774270  Update 1 to security note 1500050                             10.06.2013   -
1774432  Missing authorization check in ST-PI                          10.06.2013   4.60
1781594  Code injection vulnerability in component BC-SRV-ALV          10.06.2013   6.00
1805024  Missing authorization check in SAP profile functions          10.06.2013   6.80
1806098  Unauthorized Use of Application Functions in REST Interface   10.06.2013   -
1816331  Code injection vulnerability in BC-SRV-ALV                    10.06.2013   6.00
1816989  Potential information disclosure relating to EPCM data bag    10.06.2013   5.00
1822847  Potential information disclosure in PI                        10.06.2013   4.00
1826162  Update 1 to security note 1674132                             10.06.2013   -
1831463  Potential modification of persisted data in upgrade tools     10.06.2013   4.90
1831985  Command injection vulnerability in SAP Netweaver IdM          10.06.2013   -
1834935  Missing authorization check in LO-GT-TEW                      10.06.2013   6.00
1835666  Missing authorization check in PDS_MAINT                      10.06.2013   6.00
1836717  Hard-coded profiles in BW-BEX-ET                              10.06.2013   6.50

(- = no CVSS score assigned to the note)

The SAP note with the highest score is 1851914, Potential remote code execution in EAServer (CVSS 10.00). This note addresses an issue where an attacker can exploit EAServer to achieve remote code execution, including viewing, changing, or deleting data. If this note is of interest to you, we advise you to review the following two notes as well, as they also relate to EAServer:

1852064  Directory traversal in EAServer (CVSS 7.50) - please review
1858107  Potential disclosure of persisted data in EAServer (CVSS 7.80) - please review

We recommend that companies review the high-priority notes published on the SAP Service Marketplace and apply them without delay, after validating the impact on your business operations.

Below are a few other notes worth reviewing, as they are interesting and SAP assigns a high priority to having them applied to your system:

1781594

Code injection vulnerability in component BC-SRV-ALV

The program code contains a possibility to define and execute user-defined code that changes the behavior of the system. A valid and authenticated user is required. Depending on the code, the user can: inject and run their own code, obtain additional information that should not be displayed, modify data, delete data, modify the output of the system, create new users with higher privileges, perform a denial of service attack.

1805024

Missing authorization check in SAP profile functions

The SAP profile functions do not contain authorization checks verifying that an authenticated user is authorized to access some of those functions. This may result in undesired system behavior.

1831985

Command injection vulnerability in SAP Netweaver IdM

An end user can assign himself any business role, or potentially any privilege, without an approval being performed. A valid and authenticated user is required.

1836717

Hard-coded profiles in BW-BEX-ET

The vulnerability is caused by a hard-coded profile in the program’s source code. An attacker who specifies these credentials can log on to the system without having been assigned legitimate access by the system administrator(s). If a user already has privileges with which they can log on, an escalation of privileges may be possible if the hard-coded account has higher access rights than the original user.

When an attacker tricks an authenticated user’s browser into making a request containing a certain URL and specific parameters, the function is executed with the rights of the authenticated user. This applies to all modification operations provided by the REST interface.

The attacker may use a cross-site scripting attack to do this, or they may present a link to the victim.